CVE-2025-59330: CWE-506: Embedded Malicious Code in Qix- node-error-ex
error-ex allows error subclassing and stack customization. On 8 September 2025, an npm publishing account for error-ex was taken over after a phishing attack. Version 1.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt. The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper. On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. Users should update to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch. Those operating private registries or registry mirrors should purge the offending versions from any caches. This issue is resolved in 1.3.4.
AI Analysis
Technical Summary
CVE-2025-59330 is a high-severity supply chain vulnerability affecting the npm package 'node-error-ex' maintained by Qix-. The package provides error subclassing and stack customization functionality for JavaScript environments. On September 8, 2025, attackers successfully compromised the npm publishing account of 'error-ex' through a phishing attack. They published a malicious version 1.3.3 that was functionally identical to the previous patch but contained embedded malware targeting browser environments. Specifically, the malware attempts to intercept and redirect cryptocurrency transactions from wallets such as MetaMask to attacker-controlled addresses. This malicious payload activates only in browser contexts where the package is bundled and executed, for example, via direct script inclusion or through bundlers like Babel, Rollup, Vite, or Next.js. Local, server-side, or command-line environments using the package are unaffected. The npm registry promptly removed the compromised version on the same day to prevent further downloads. Subsequent patch versions (1.3.4 and later) were released on September 13 to invalidate caches, including those in private registries or mirrors. The vulnerability is categorized under CWE-506 (Embedded Malicious Code), highlighting the risk of supply chain compromise through malicious code injection. The CVSS 4.0 score is 8.8 (high), reflecting the network attack vector, no required privileges or user interaction, and significant impact on confidentiality and integrity of targeted cryptocurrency transactions. No known exploits in the wild have been reported yet. Remediation requires updating to version 1.3.4, clearing package manager caches, deleting node_modules directories, and rebuilding all browser bundles to purge the malicious code from deployed applications.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to web applications or browser-based tools that incorporate the compromised 'node-error-ex' package in their client-side bundles. Organizations involved in financial technology, cryptocurrency services, or any sector relying on browser-based crypto wallets are particularly vulnerable to theft of digital assets. The malware's ability to silently redirect cryptocurrency transactions undermines transaction integrity and confidentiality, potentially causing direct financial losses and reputational damage. Since the attack vector is supply chain compromise, organizations using private npm registries or mirrors may unknowingly continue to distribute the malicious version if caches are not properly purged. The impact is less severe for server-side or backend systems but remains critical for front-end applications. Additionally, the incident underscores the broader risk of npm package account takeover and the need for stringent developer account security. European regulatory frameworks such as GDPR and NIS2 may impose reporting obligations and penalties if customer data or assets are compromised due to insufficient supply chain security controls.
Mitigation Recommendations
1. Immediately update all instances of 'node-error-ex' to version 1.3.4 or later.
2. Completely remove the node_modules directory in all projects using this package to ensure no residual malicious code remains.
3. Clear all caches of package managers (npm, yarn, pnpm) including global caches to prevent reinstallation of the compromised version.
4. Rebuild all browser bundles from scratch to eliminate embedded malware in distributed JavaScript assets.
5. For organizations operating private npm registries or mirrors, purge all cached copies of version 1.3.3 and earlier compromised versions to prevent internal propagation.
6. Implement multi-factor authentication and phishing-resistant security measures on all developer accounts with publishing rights to critical packages.
7. Monitor network traffic for suspicious redirection patterns related to cryptocurrency transactions in browser environments.
8. Conduct audits of supply chain dependencies and consider adopting tools for automated detection of malicious code injections in dependencies.
9. Educate development teams about supply chain risks and secure package management best practices.
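The remediation steps above, as an added triage script (not code from the advisory or the error-ex project): it checks a project's node_modules and lockfiles for the compromised error-ex 1.3.3 and prints the advisory's cleanup steps when it finds a reference. The package name, version and lockfile names come from the advisory; the function names, output wording and the within-three-lines lockfile heuristic are assumptions.

```shell
#!/bin/sh
# Triage helper for the error-ex 1.3.3 incident. Added example, not code from the
# advisory or the error-ex project: package name, bad version and lockfile names
# come from the advisory; function names, output text and the heuristic are assumed.
BAD_PKG="error-ex"
BAD_VERSION="1.3.3"
BAD_VERSION_RE='1\.3\.3'

# Print the version installed under node_modules (nothing if the package is absent).
installed_version() {
  pkg_json="$1/node_modules/$BAD_PKG/package.json"
  [ -f "$pkg_json" ] || return 0
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg_json" | head -n 1
}

# Succeed (status 0) if any lockfile pins the compromised version. Deliberately
# crude: the bad version string within three lines of the package name.
lockfile_pins_bad() {
  for lock in package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
    [ -f "$1/$lock" ] || continue
    if grep -A 3 -- "$BAD_PKG" "$1/$lock" \
        | grep -qE "(^|[^0-9.])$BAD_VERSION_RE([^0-9]|\$)"; then
      return 0
    fi
  done
  return 1
}

# Succeed if the installed tree or a lockfile references the compromised version.
project_affected() {
  [ "$(installed_version "$1")" = "$BAD_VERSION" ] && return 0
  lockfile_pins_bad "$1"
}

# Usage: sh check_error_ex.sh /path/to/project (no argument: defines functions only).
if [ "$#" -ge 1 ]; then
  if project_affected "$1"; then
    echo "AFFECTED: $1 references $BAD_PKG@$BAD_VERSION"
    echo "Remediate: update to 1.3.4 or later, rm -rf node_modules, clear the package"
    echo "manager cache (npm cache clean --force), reinstall, rebuild browser bundles."
  else
    echo "clean: $1 (no reference to $BAD_PKG@$BAD_VERSION found)"
  fi
fi
```

A clean result does not clear a browser bundle that was built while 1.3.3 was installed; the advisory's rebuild step still applies to those artifacts.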
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Sweden, Estonia
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-12T12:36:24.634Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68c86d1cd09586c390afd44f
Added to database: 9/15/2025, 7:46:36 PM
Last enriched: 9/15/2025, 7:47:14 PM
Last updated: 9/19/2025, 6:36:48 AM